Guided Retraining to Enhance the Detection of Difficult Android Malware
Pages 1131 - 1143
Abstract
The popularity of Android OS has made it an appealing target for malware developers. To evade detection, including by ML-based techniques, attackers invest in creating malware that closely resemble legitimate apps, challenging the state of the art with difficult-to-detect samples. In this paper, we propose Guided Retraining, a supervised representation learning-based method for boosting the performance of malware detectors. To that end, we first split the experimental dataset into subsets of “easy” and “difficult” samples, where difficulty is associated to the prediction probabilities yielded by a malware detector. For the subset of “easy” samples, the base malware detector is used to make the final predictions since the error rate on that subset is low by construction. Our work targets the second subset containing “difficult” samples, for which the probabilities are such that the classifier is not confident on the predictions, which have high error rates. We apply our Guided Retraining method on these difficult samples to improve their classification. Guided Retraining leverages the correct predictions and the errors made by the base malware detector to guide the retraining process. Guided Retraining learns new embeddings of the difficult samples using Supervised Contrastive Learning and trains an auxiliary classifier for the final predictions. We validate our method on four state-of-the-art Android malware detection approaches using over 265k malware and benign apps. Experimental results show that Guided Retraining can boost state-of-the-art detectors by eliminating up to 45.19% of the prediction errors that they make on difficult samples. We note furthermore that our method is generic and designed to enhance the performance of binary classifiers for other tasks beyond Android malware detection.
References
[1]
Fahad Akbar, Mehdi Hussain, Rafia Mumtaz, Qaiser Riaz, Ainuddin Wahid Abdul Wahab, and Ki-Hyun Jung. 2022. Permissions-Based Detection of Android Malware Using Machine Learning. Symmetry, 14, 4 (2022), 718. https://doi.org/10.3390/sym14040718
[2]
Kevin Allix, Tegawendé F. Bissyandé, Jacques Klein, and Yves Le Traon. 2016. AndroZoo: Collecting Millions of Android Apps for the Research Community. In Proceedings of the 13th International Conference on Mining Software Repositories (MSR ’16). ACM, New York, NY, USA. 468–471. isbn:978-1-4503-4186-8 https://doi.org/10.1145/2901739.2903508
[3]
Kevin Allix, Tegawendé F. Bissyandé, Jacques Klein, and Yves LeTraon. 2015. Are Your Training Datasets Yet Relevant? In Engineering Secure Software and Systems, Frank Piessens, Juan Caballero, and Nataliia Bielova (Eds.). Springer International Publishing, Cham. 51–67. isbn:978-3-319-15618-7 https://doi.org/10.1007/978-3-319-15618-7_5
[4]
Daniel Arp, Michael Spreitzenbarth, Malte Hübner, Hugo Gascon, and Konrad Rieck. 2014. Drebin: Efficient and explainable detection of android malware in your pocket. In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS), San Diego, CA. https://doi.org/10.14722/ndss.2014.23247
[5]
Mariam Barque, Simon Martin, Jérémie Etienne Norbert Vianin, Dominique Genoud, and David Wannier. 2018. Improving wind power prediction with retraining machine learning algorithms. In 2018 International Workshop on Big Data and Information Security (IWBIS). 43–48. https://doi.org/10.1109/IWBIS.2018.8471713
[6]
Cheng-Yi Chiang, Nai-Fu Chang, Tung-Chien Chen, Hong-Hui Chen, and Liang-Gee Chen. 2011. Seizure prediction based on classification of EEG synchronization patterns with on-line retraining and post-processing scheme. In 2011 Annual International Conference of the IEEE Engineering in Medicine and Biology Society. 7564–7569. https://doi.org/10.1109/IEMBS.2011.6091865
[7]
Nadia Daoudi, Kevin Allix, Tegawendé F Bissyandé, and Jacques Klein. 2021. Lessons Learnt on Reproducibility in Machine Learning Based Android Malware Detection. Empirical Software Engineering, 26, 4 (2021), 1–53. issn:1573-7616 https://doi.org/10.1007/s10664-021-09955-7
[8]
Nadia Daoudi, Kevin Allix, Tegawendé F Bissyandé, and Jacques Klein. 2023. Assessing the opportunity of combining state-of-the-art Android malware detectors. Empirical Software Engineering, 28, 2 (2023), 22. https://doi.org/10.1007/s10664-022-10249-9
[9]
Nadia Daoudi, Jordan Samhi, Abdoul Kader Kabore, Kevin Allix, Tegawendé F. Bissyandé, and Jacques Klein. 2021. DexRay: A Simple, yet Effective Deep Learning Approach to Android Malware Detection Based on Image Representation of Bytecode. In Deployable Machine Learning for Security Defense, Gang Wang, Arridhana Ciptadi, and Ali Ahmadzadeh (Eds.). Springer International Publishing, Cham. 81–106. isbn:978-3-030-87839-9 https://doi.org/10.1007/978-3-030-87839-9_4
[10]
Yuxin Ding, Xiao Zhang, Jieke Hu, and Wenting Xu. 2020. Android malware detection method based on bytecode image. Journal of Ambient Intelligence and Humanized Computing, 1–10. https://doi.org/10.1007/s12652-020-02196-4
[11]
Yujie Fan, Mingxuan Ju, Shifu Hou, Yanfang Ye, Wenqiang Wan, Kui Wang, Yinming Mei, and Qi Xiong. 2021. Heterogeneous Temporal Graph Transformer: An Intelligent System for Evolving Android Malware Detection. In Proceedings of the 27th ACM SIGKDD Conference on Knowledge Discovery & Data Mining (KDD ’21). Association for Computing Machinery, New York, NY, USA. 2831–2839. isbn:9781450383325 https://doi.org/10.1145/3447548.3467168
[12]
Pedro F Felzenszwalb, Ross B Girshick, David McAllester, and Deva Ramanan. 2009. Object detection with discriminatively trained part-based models. IEEE transactions on pattern analysis and machine intelligence, 32, 9 (2009), 1627–1645. https://doi.org/10.1109/TPAMI.2009.167
[13]
Lei Feng and Bo An. 2019. Partial Label Learning with Self-Guided Retraining. Proceedings of the AAAI Conference on Artificial Intelligence, 33, 01 (2019), Jul., 3542–3549. https://doi.org/10.1609/aaai.v33i01.33013542
[14]
Yoav Freund and Robert E Schapire. 1997. A Decision-Theoretic Generalization of On-Line Learning and an Application to Boosting. J. Comput. System Sci., 55, 1 (1997), 119–139. issn:0022-0000 https://doi.org/10.1006/jcss.1997.1504
[15]
Joshua Garcia, Mahmoud Hammad, and Sam Malek. 2018. Lightweight, Obfuscation-Resilient Detection and Family Identification of Android Malware. ACM Trans. Softw. Eng. Methodol., 26, 3 (2018), Article 11, Jan., 29 pages. issn:1049-331X https://doi.org/10.1145/3162625
[16]
Ross Girshick, Jeff Donahue, Trevor Darrell, and Jitendra Malik. 2014. Rich feature hierarchies for accurate object detection and semantic segmentation. In Proceedings of the IEEE conference on computer vision and pattern recognition. 580–587. https://doi.org/10.1109/CVPR.2014.81
[17]
Ian Goodfellow, Jean Pouget-Abadie, Mehdi Mirza, Bing Xu, David Warde-Farley, Sherjil Ozair, Aaron Courville, and Yoshua Bengio. 2014. Generative Adversarial Nets. In Advances in Neural Information Processing Systems, Z. Ghahramani, M. Welling, C. Cortes, N. Lawrence, and K.Q. Weinberger (Eds.). 27, Curran Associates, Inc. https://proceedings.neurips.cc/paper/2014/file/5ca3e9b122f61f8f06494c97b1afccf3-Paper.pdf
[18]
Haibo He, Yang Bai, Edwardo A. Garcia, and Shutao Li. 2008. ADASYN: Adaptive synthetic sampling approach for imbalanced learning. In 2008 IEEE International Joint Conference on Neural Networks (IEEE World Congress on Computational Intelligence). 1322–1328. https://doi.org/10.1109/IJCNN.2008.4633969
[19]
Shifu Hou, Yujie Fan, Yiming Zhang, Yanfang Ye, Jingwei Lei, Wenqiang Wan, Jiabin Wang, Qi Xiong, and Fudong Shao. 2019. <i>α Cyber</i>: Enhancing Robustness of Android Malware Detection System against Adversarial Attacks on Heterogeneous Graph Based Model. In Proceedings of the 28th ACM International Conference on Information and Knowledge Management (CIKM ’19). Association for Computing Machinery, New York, NY, USA. 609–618. isbn:9781450369763 https://doi.org/10.1145/3357384.3357875
[20]
Ming Huang, Fuzhen Zhuang, Xiao Zhang, Xiang Ao, Zhengyu Niu, Min-Ling Zhang, and Qing He. 2019. Supervised representation learning for multi-label classification. Machine Learning, 108, 5 (2019), 747–763. https://doi.org/10.1007/s10994-019-05783-5
[21]
T. H. Huang and H. Kao. 2018. R2-D2: ColoR-inspired Convolutional NeuRal Network (CNN)-based AndroiD Malware Detections. In 2018 IEEE International Conference on Big Data (Big Data). 2633–2642. https://doi.org/10.1109/BigData.2018.8622324
[22]
Prannay Khosla, Piotr Teterwak, Chen Wang, Aaron Sarna, Yonglong Tian, Phillip Isola, Aaron Maschinot, Ce Liu, and Dilip Krishnan. 2020. Supervised Contrastive Learning. In Advances in Neural Information Processing Systems, H. Larochelle, M. Ranzato, R. Hadsell, M.F. Balcan, and H. Lin (Eds.). 33, Curran Associates, Inc., 18661–18673. https://proceedings.neurips.cc/paper/2020/file/d89a66c7c80a29b1bdbab0f2a1a94af8-Paper.pdf
[23]
Vasileios Kouliaridis and Georgios Kambourakis. 2021. A Comprehensive Survey on Machine Learning Techniques for Android Malware Detection. Information, 12, 5 (2021), issn:2078-2489 https://doi.org/10.3390/info12050185
[24]
Xiaoya Li, Xiaofei Sun, Yuxian Meng, Junjun Liang, Fei Wu, and Jiwei Li. 2020. Dice Loss for Data-imbalanced NLP Tasks. In Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics. Association for Computational Linguistics, Online. 465–476. https://doi.org/10.18653/v1/2020.acl-main.45
[25]
Yi Li and Nuno Vasconcelos. 2020. Background data resampling for outlier-aware classification. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 13218–13227. https://doi.org/10.1109/CVPR42600.2020.01323
[26]
Tsung-Yi Lin, Priya Goyal, Ross Girshick, Kaiming He, and Piotr Dollar. 2017. Focal Loss for Dense Object Detection. In Proceedings of the IEEE International Conference on Computer Vision (ICCV). https://doi.org/10.1109/ICCV.2017.324
[27]
K. Liu, S. Xu, G. Xu, M. Zhang, D. Sun, and H. Liu. 2020. A Review of Android Malware Detection Approaches Based on Machine Learning. IEEE Access, 8 (2020), 124579–124607. https://doi.org/10.1109/ACCESS.2020.3006143
[28]
Yue Liu, Chakkrit Tantithamthavorn, Li Li, and Yepang Liu. 2022. Deep Learning for Android Malware Defenses: A Systematic Literature Review. ACM Comput. Surv., 55, 8 (2022), Article 153, dec, 36 pages. issn:0360-0300 https://doi.org/10.1145/3544968
[29]
Mohammad Mahdi Maghouli, Mohamadreza Fereydooni, Monireh Abdoos, and Mojtaba Vahidi-Asl. 2021. Malfustection: Obfuscated Malware Detection and Malware Classification with Data Shortage by Combining Semi-Supervised and Contrastive Learning. arXiv preprint arXiv:2111.09975, https://doi.org/10.48550/arXiv.2111.09975
[30]
Arvind Mahindru and AL Sangal. 2021. MLDroid—framework for Android malware detection using machine learning techniques. Neural Computing and Applications, 33, 10 (2021), 5183–5240. https://doi.org/10.1007/s00521-020-05309-4
[31]
Enrico Mariconti, Lucky Onwuzurike, Panagiotis Andriotis, Emiliano De Cristofaro, Gordon Ross, and Gianluca Stringhini. 2017. MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models. In ISOC Network and Distributed Systems Security Symposiym (NDSS). San Diego, CA. https://doi.org/10.14722/ndss.2017.23353
[32]
Stuart Millar, Niall McLaughlin, Jesus Martinez del Rincon, and Paul Miller. 2021. Multi-view deep learning for zero-day Android malware detection. Journal of Information Security and Applications, 58 (2021), 102718. https://doi.org/10.1016/j.jisa.2020.102718
[33]
Jun-Gyu Park, Hang-Bae Jun, and Tae-Young Heo. 2021. Retraining prior state performances of anaerobic digestion improves prediction accuracy of methane yield in various machine learning models. Applied Energy, 298 (2021), 117250. issn:0306-2619 https://doi.org/10.1016/j.apenergy.2021.117250
[34]
Feargus Pendlebury, Fabio Pierazzi, Roberto Jordaney, Johannes Kinder, and Lorenzo Cavallaro. 2019. TESSERACT: Eliminating Experimental Bias in Malware Classification across Space and Time. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA. 729–746. isbn:978-1-939133-06-9 https://www.usenix.org/conference/usenixsecurity19/presentation/pendlebury
[35]
PyTorch. https://pytorch.org [Online; accessed 30-August-2022]
[36]
Alain Rakotomamonjy. 2017. Supervised Representation Learning for Audio Scene Classification. IEEE/ACM Transactions on Audio, Speech, and Language Processing, 25, 6 (2017), 1253–1265. https://doi.org/10.1109/TASLP.2017.2690561
[37]
scikit learn. https://scikit-learn.org [Online; accessed 30-August-2022]
[38]
scikit learn. https://scikit-learn.org/stable/modules/classes.html [Online; accessed 30-August-2022]
[39]
Tejpal Sharma and Dhavleesh Rattan. 2021. Malicious application detection in android — A systematic literature review. Computer Science Review, 40 (2021), 100373. issn:1574-0137 https://doi.org/10.1016/j.cosrev.2021.100373
[40]
Yan Song, Yibin Li, Lei Jia, and Meikang Qiu. 2020. Retraining Strategy-Based Domain Adaption Network for Intelligent Fault Diagnosis. IEEE Transactions on Industrial Informatics, 16, 9 (2020), 6163–6171. https://doi.org/10.1109/TII.2019.2950667
[41]
Tiezhu Sun, Nadia Daoudi, Kevin Allix, and Tegawendé F. Bissyandé. 2021. Android Malware Detection: Looking beyond Dalvik Bytecode. In Proceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASE ’21). https://doi.org/10.1109/ASEW52652.2021.00019
[42]
Jiachen Tian, Shizhan Chen, Xiaowang Zhang, Zhiyong Feng, Deyi Xiong, Shaojuan Wu, and Chunliu Dou. 2021. Re-embedding Difficult Samples via Mutual Information Constrained Semantically Oversampling for Imbalanced Text Classification. In Proceedings of the 2021 Conference on Empirical Methods in Natural Language Processing. Association for Computational Linguistics, Online and Punta Cana, Dominican Republic. 3148–3161. https://doi.org/10.18653/v1/2021.emnlp-main.252
[43]
Yonglong Tian. 2020. https://github.com/HobbitLong/SupContrast [Online; accessed 30-August-2022]
[44]
Austin Tripp, Erik Daxberger, and José Miguel Hernández-Lobato. 2020. Sample-Efficient Optimization in the Latent Space of Deep Generative Models via Weighted Retraining. In Advances in Neural Information Processing Systems, H. Larochelle, M. Ranzato, R. Hadsell, M.F. Balcan, and H. Lin (Eds.). 33, Curran Associates, Inc., 11259–11272. https://proceedings.neurips.cc/paper/2020/file/81e3225c6ad49623167a4309eb4b2e75-Paper.pdf
[45]
VirusTotal. https://www.virustotal.com [Online; accessed 30-August-2022]
[46]
Mike Walmsley, Anna MM Scaife, Chris Lintott, Michelle Lochner, Verlon Etsebeth, Tobias Géron, Hugh Dickinson, Lucy Fortson, Sandor Kruk, and Karen L Masters. 2021. Practical Galaxy Morphology Tools from Deep Supervised Representation Learning. arXiv preprint arXiv:2110.12735, https://doi.org/10.1093/mnras/stac525
[47]
Xiaohui Wan, Zheng Zheng, Fangyun Qin, Yu Qiao, and Kishor S. Trivedi. 2019. Supervised Representation Learning Approach for Cross-Project Aging-Related Bug Prediction. In 2019 IEEE 30th International Symposium on Software Reliability Engineering (ISSRE). 163–172. https://doi.org/10.1109/ISSRE.2019.00025
[48]
Yinjun Wu, Edgar Dobriban, and Susan Davidson. 2020. DeltaGrad: Rapid retraining of machine learning models. In Proceedings of the 37th International Conference on Machine Learning, Hal Daumé III and Aarti Singh (Eds.) (Proceedings of Machine Learning Research, Vol. 119). PMLR, 10355–10366. https://proceedings.mlr.press/v119/wu20b.html
[49]
Yueming Wu, Shihan Dou, Deqing Zou, Wei Yang, Weizhong Qiang, and Hai Jin. 2021. Obfuscation-resilient Android Malware Analysis Based on Contrastive Learning. arXiv preprint arXiv:2107.03799, https://doi.org/10.48550/arXiv.2107.03799
[50]
Y. Wu, X. Li, D. Zou, W. Yang, X. Zhang, and H. Jin. 2019. MalScan: Fast Market-Wide Mobile Malware Scanning by Social-Network Centrality Analysis. In 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE). 139–150. https://doi.org/10.1109/ASE.2019.00023
[51]
Limin Yang, Wenbo Guo, Qingying Hao, Arridhana Ciptadi, Ali Ahmadzadeh, Xinyu Xing, and Gang Wang. 2021. CADE: Detecting and Explaining Concept Drift Samples for Security Applications. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 2327–2344. isbn:978-1-939133-24-3 https://www.usenix.org/conference/usenixsecurity21/presentation/yang-limin
[52]
Nan Zhang, Yu an Tan, Chen Yang, and Yuanzhang Li. 2021. Deep learning feature exploration for Android malware detection. Applied Soft Computing, 102 (2021), 107069. issn:1568-4946 https://doi.org/10.1016/j.asoc.2020.107069
[53]
Q. Zhao. 2001. Training and retraining of neural network trees. In IJCNN’01. International Joint Conference on Neural Networks. Proceedings (Cat. No.01CH37222). 1, 726–731 vol.1. https://doi.org/10.1109/IJCNN.2001.939114
[54]
Rui Zhu, Chenglin Li, Di Niu, Hongwen Zhang, and Husam Kinawi. 2018. Android malware detection using large-scale network representation learning. arXiv preprint arXiv:1806.04847, https://doi.org/10.48550/arXiv.1806.04847
Index Terms
- Guided Retraining to Enhance the Detection of Difficult Android Malware
Recommendations
Smart malware detection on Android
Nowadays, because of its increased popularity, Android is target to a growing number of attacks and malicious applications, with the purpose of stealing private information and consuming credit by subscribing to premium services. Most of the current ...
Effectiveness of Android Obfuscation on Evading Anti-malware
CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and PrivacyObfuscation techniques have been conventionally used for legitimate applications, including preventing application reverse engineering, tampering and protecting intellectual property. A malware author could also leverage these benign techniques to hide ...
Hartley's test ranked opcodes for Android malware analysis
SIN '15: Proceedings of the 8th International Conference on Security of Information and NetworksThe popularity and openness of Android platform encourage malware authors to penetrate various market places with malicious applications. As a result, malware detection has become a critical topic in security. Currently signature-based system is able to ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
July 2023
1554 pages
Copyright © 2023 Owner/Author.
This work is licensed under a Creative Commons Attribution 4.0 International License.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 13 July 2023
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
- University of Luxembourg
- European Union?s Horizon 2020 research and innovation program
- Luxembourg Ministry of Foreign and European Affairs through the Digital4Development (D4D) portfolio
- Fonds National de la Recherche (FNR), Luxembourg
Conference
ISSTA '23
Sponsor:
ISSTA '23: 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis
July 17 - 21, 2023
WA, Seattle, USA
Acceptance Rates
Overall Acceptance Rate 58 of 213 submissions, 27%
Upcoming Conference
ISSTA '25
- Sponsor:
- sigsoft
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 456Total Downloads
- Downloads (Last 12 months)320
- Downloads (Last 6 weeks)61
Reflects downloads up to 21 Nov 2024
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in